May 12: TeamPCP open-sourced the Shai-Hulud worm on GitHub. Datadog mapped its module pipeline (Loader/Provider/Collector/Dispatcher/Sender/Mutator) and Claude Code SessionStart hook for persistence. May 15: BreachForums opened a paid attack challenge. Detection notes for the copycat wave.
Malicious node-ipc 9.1.6/9.2.3/12.0.1 fire on require(), not postinstall. 12.0.1 is SHA-256 gated (targeted), so a working app isn't safe. Exfils dev/CI secrets via DNS TXT.
TanStack npm compromise (42 pkgs / 84 versions, CVE-2026-45321 CVSS 9.6) on May 11, 2026 UTC spread across UiPath (60+), Mistral, OpenSearch, guardrails-ai, Checkmarx Jenkins. Covers token-revoke wipe ordering, first valid SLSA provenance on malicious npm, and Vect ransomware secondary wave (wiper, not real ransomware). Live tracking.
Cold install benchmarks from a Next.js 16 + Shadcn/ui + Railway monorepo show pnpm at half npm's time, but the real story is Radix UI's undeclared dependencies breaking under strict hoisting. A practical look at .npmrc tuning, Bun's flat structure trade-off, and where Next.js dependency weight dominates.
CVE-2026-40175: unrelated to the March supply-chain compromise. axios's config merge picked up tainted Object.prototype values and passed them through as HTTP headers without CRLF validation, chaining to SSRF. Fixed in 1.15.0.
36 malicious npm packages disguised as Strapi CMS plugins were published by 4 sock-puppet accounts. 8 payload variants deployed Redis crontab injection, PostgreSQL direct access, reverse shells, and persistent implants. The target appears to be crypto exchange Guardarian.
Follow-up to the axios compromise. Public reporting from GitHub, Socket, Google, and Microsoft shows UNC1069/Sapphire Sleet used the same social-engineering playbook against maintainers tied to Mocha, Fastify, Lodash, dotenv, and Node.js core.
The axios postmortem from maintainer Jason Saayman lays out the full social-engineering chain: a fake company Slack workspace, a fake Teams meeting, and a RAT that took over the machine. 2FA and OIDC were both bypassed.
A summary of how source maps bundled in the Claude Code npm package made over 510k lines of TypeScript visible, and how a branch-name command injection in OpenAI Codex could have allowed theft of GitHub tokens.
A fake dependency plain-crypto-js was injected into axios 1.14.1 and 0.30.4 to install a RAT dropper via a postinstall hook. Complete attack chain from maintainer account compromise to C2 communication and self-deletion.
GlassWorm has expanded to 72 Open VSX extensions, 151 GitHub repositories, and 88 npm packages, while a new supply-chain technique now abuses extensionDependencies as a delivery channel.
A prompt-injection attack in a GitHub issue title tricked an AI triage bot into stealing npm tokens, which were then used to publish a malicious package in a five-step supply-chain attack chain.
